build(deps): bump the gomod group with 15 updates

[dependabot]

Bumps the gomod group with 15 updates:

Package	From	To
github.com/cert-manager/cert-manager	1.15.3	1.16.0
golang.org/x/time	0.6.0	0.7.0
sigs.k8s.io/kustomize/kyaml	0.17.2	0.18.0
github.com/prometheus/common	0.59.1	0.60.0
golang.org/x/net	0.29.0	0.30.0
golang.org/x/sys	0.25.0	0.26.0
golang.org/x/term	0.24.0	0.25.0
golang.org/x/text	0.18.0	0.19.0
golang.org/x/tools	0.25.0	0.26.0
google.golang.org/genproto/googleapis/rpc	0.0.0-20240814211410-ddb44dafa142	0.0.0-20240903143218-8af14fe29dc1
google.golang.org/grpc	1.67.0	1.67.1
google.golang.org/protobuf	1.34.2	1.35.1
k8s.io/kube-openapi	0.0.0-20240430033511-f0e62f92d13f	0.0.0-20240903163716-9e1beecbcb38
k8s.io/utils	0.0.0-20240711033017-18e509b52bc8	0.0.0-20240921022957-49e7df575cb6
sigs.k8s.io/gateway-api	1.1.0	1.2.0

Updates github.com/cert-manager/cert-manager from 1.15.3 to 1.16.0

Release notes

Sourced from github.com/cert-manager/cert-manager's releases.

v1.16.0

cert-manager is the easiest way to automatically manage certificates in Kubernetes and OpenShift clusters.

The cert-manager 1.16 release includes: new Helm chart features, more Prometheus metrics, memory optimizations, and various improvements and bug fixes for the ACME issuer and Venafi Issuer.

📖 Read the complete 1.16 release notes at cert-manager.io.

⚠️ Known issues

1. Helm Chart: JSON schema prevents the chart being used as a sub-chart on Rancher RKE.
2. ACME DNS01 ClusterIssuer fail while loading credentials from Secret resources.

❗ Breaking changes

1. Helm schema validation may reject your existing Helm values files if they contain typos or unrecognized fields.
2. Venafi Issuer may fail to renew certificates if the requested duration conflicts with the CA’s minimum or maximum policy settings in Venafi.
3. Venafi Issuer may fail to renew Certificates if the issuer has been configured for TPP with username-password authentication.

📖 Read the complete 1.16 release notes at cert-manager.io.

📜 Changes since v1.15.0

📖 Read the complete 1.16 release notes at cert-manager.io.

Feature

• Add SecretRef support for Venafi TPP issuer CA Bundle (#7036, @sankalp-at-gh)
• Add renewBeforePercentage alternative to renewBefore (#6987, @cbroglie)
• Add a metrics server to the cainjector (#7194, @wallrj)
• Add a metrics server to the webhook (#7182, @wallrj)
• Add client certificate auth method for Vault issuer (#4330, @joshmue)
• Add process and go runtime metrics for controller (#6966, @mindw)
• Added app.kubernetes.io/managed-by: cert-manager label to the cert-manager-webhook-ca Secret (#7154, @jrcichra)
• Allow the user to specify a Pod template when using GatewayAPI HTTP01 solver, this mirrors the behavior when using the Ingress HTTP01 solver. (#7211, @ThatsMrTalbot)
• Create token request RBAC for the cert-manager ServiceAccount by default (#7213, @Jasper-Ben)
• Feature: Append cert-manager user-agent string to all AWS API requests, including IMDS and STS requests. (#7295, @wallrj)
• Feature: Log AWS SDK warnings and API requests at cert-manager debug level to help debug AWS Route53 problems in the field. (#7292, @wallrj)
• Feature: The Route53 DNS solver of the ACME Issuer will now use regional STS endpoints computed from the region that is supplied in the Issuer spec or in the AWS_REGION environment variable. Feature: The Route53 DNS solver of the ACME Issuer now uses the "ambient" region (AWS_REGION or AWS_DEFAULT_REGION) if issuer.spec.acme.solvers.dns01.route53.region is empty; regardless of the flags --issuer-ambient-credentials and --cluster-issuer-ambient-credentials. (#7299, @wallrj)
• Helm: adds JSON schema validation for the Helm values. (#7069, @inteon)
• If the --controllers flag only specifies disabled controllers, the default controllers are now enabled implicitly. Added disableAutoApproval and approveSignerNames Helm chart options. (#7049, @inteon)
• Make it easier to configure cert-manager using Helm by defaulting config.apiVersion and config.kind within the Helm chart. (#7126, @ThatsMrTalbot)
• Now passes down specified duration to Venafi client instead of using the CA default only. (#7104, @Guitarkalle)
• Reduce the memory usage of cainjector, by only caching the metadata of Secret resources. Reduce the load on the K8S API server when cainjector starts up, by only listing the metadata of Secret resources. (#7161, @wallrj)
• The Route53 DNS01 solver of the ACME Issuer can now detect the AWS region from the AWS_REGION and AWS_DEFAULT_REGION environment variables, which is set by the IAM for Service Accounts (IRSA) webhook and by the Pod Identity webhook. The issuer.spec.acme.solvers.dns01.route53.region field is now optional. The API documentation of the region field has been updated to explain when and how the region value is used. (#7287, @wallrj)
• Venafi TPP issuer can now be used with a username & password combination with OAuth. Fixes #4653. Breaking: cert-manager will no longer use the API Key authentication method which was deprecated in 20.2 and since removed in 24.1 of TPP. (#7084, @hawksight)

... (truncated)

Commits

• 67c897d Merge pull request #7325 from cert-manager-bot/cherry-pick-7323-to-release-1.16
• 3470785 make update-base-images
• f9e8aa6 Merge pull request #7324 from cert-manager-bot/cherry-pick-7321-to-release-1.16
• d09894c BOT: run 'make upgrade-klone' and 'make generate'
• f98340d Merge pull request #7319 from cert-manager-bot/cherry-pick-7317-to-release-1.16
• 78dd1bf Update deployments and startupapi Job
• 8c46145 make generate-helm-schema generate-helm-docs
• 99dc5d2 Add extraEnv to webhook, cainjector, and startupapicheck
• e381fb0 Merge pull request #7318 from cert-manager-bot/cherry-pick-7315-to-release-1.16
• 514f559 Revert "Reduce load on the Kubernetes API server and reduce the peak memory u...
• Additional commits viewable in compare view

Updates golang.org/x/time from 0.6.0 to 0.7.0

Commits

• 772484e x/time/rate: correctly handle 0 limits
• See full diff in compare view

Updates sigs.k8s.io/kustomize/kyaml from 0.17.2 to 0.18.0

Release notes

Sourced from sigs.k8s.io/kustomize/kyaml's releases.

api/v0.17.3

chore

#5506: fix some comments #5693: fix: always show accumulation errors #5699: chore: add deprecation comment to commonLabels #5698: fix(namereference): add configuration for new admission API

Dependencies

#5734: Update kyaml to v0.17.2

Commits

• 2cd9a2e Merge pull request #5768 from dims/remove-starlark-support
• d32eacf Remove starlark support
• 88f19bf Merge pull request #5763 from koba1t/update_go_1.22.7
• a3c0b4a disable for a step to skip test when that is docs PR
• b67ce5b go work sync && ./hack/doGoMod.sh tidy
• 5ba8523 update go 1.22.7
• 4034e36 Add --helm-debug Flag to Kustomize for Enhanced Helm Debugging (#5751)
• c3872ce Merge pull request #5745 from isarns/master
• d35d21c Merge pull request #5760 from Kavinjsir/patch-docs
• a5f43ec style: linting
• Additional commits viewable in compare view

Updates github.com/prometheus/common from 0.59.1 to 0.60.0

Release notes

Sourced from github.com/prometheus/common's releases.

v0.60.0

What's Changed

• Synchronize common files from prometheus/prometheus by @​prombot in prometheus/common#692
• slog: expose io.Writer by @​jkroepke in prometheus/common#694
• Synchronize common files from prometheus/prometheus by @​prombot in prometheus/common#695
• promslog: use UTC timestamps for go-kit log style by @​dswarbrick in prometheus/common#696
• feat: add promslog.NewNopLogger() convenience func by @​tjhop in prometheus/common#697
• Bump golang.org/x/net from 0.28.0 to 0.29.0 by @​dependabot in prometheus/common#699
• Bump golang.org/x/oauth2 from 0.22.0 to 0.23.0 by @​dependabot in prometheus/common#698
• Update supported Go versions by @​SuperQ in prometheus/common#700

Full Changelog: prometheus/common@v0.59.1...v0.60.0

Commits

• dae848d Update supported Go versions (#700)
• 63ff77e Bump golang.org/x/oauth2 from 0.22.0 to 0.23.0 (#698)
• b7aa68c Bump golang.org/x/net from 0.28.0 to 0.29.0 (#699)
• 4e3a6fd feat: add promslog.NewNopLogger() convenience func (#697)
• d66e745 promslog: use UTC timestamps for go-kit log style (#696)
• 14bac55 Merge pull request #695 from prometheus/repo_sync
• 8bc4cd5 Update common Prometheus files
• 40d6251 Merge pull request #694 from jkroepke/slog/writer
• fa21dfd Update common Prometheus files (#692)
• 5f9af24 slog: expose io.Writer
• See full diff in compare view

Updates golang.org/x/net from 0.29.0 to 0.30.0

Commits

• 6cc5ac4 go.mod: update golang.org/x dependencies
• f88258d websocket: update nhooyr.io/websocket to github.com/coder/websocket
• 7191757 http2: add support for net/http HTTP2 config field
• 4790dc7 http2: add support for server-originated pings
• 541dbe5 http2: add Server.WriteByteTimeout
• 3c333c0 route: fix address parsing of messages on Darwin
• See full diff in compare view

Updates golang.org/x/sys from 0.25.0 to 0.26.0

Commits

• 23b0dab unix: mark vgetrandom as non-escaping
• cbf0eb6 unix: fix grep syntax to work on non-GNU greps
• e7397b9 unix: update to Linux 6.11
• 981de40 unix: use vDSO for getrandom() on linux
• 48aad76 linux: add tcp_cc_info and its related types
• d58f986 all: fix some typos in comment
• 30de352 unix: fix Test{Fd,}Xattr failure on NetBSD
• 68ed59b windows/svc: fix printf(var) mistake detected by latest printf checker
• c08bc6e unix: update Go to 1.23.0
• See full diff in compare view

Updates golang.org/x/term from 0.24.0 to 0.25.0

Commits

• 9d5441a go.mod: update golang.org/x dependencies
• See full diff in compare view

Updates golang.org/x/text from 0.18.0 to 0.19.0

Commits

• 3043346 x/text: Correct examples in number/doc
• 38a95c2 all: fix some comments
• 20097e4 all: fix printf(var) mistakes detected by latest printf checker
• See full diff in compare view

Updates golang.org/x/tools from 0.25.0 to 0.26.0

Commits

• 2ab3b51 go.mod: update golang.org/x dependencies
• 2683c79 gopls/internal/golang/stubmethods: rename analysis/stubmethods
• efd951d gopls/internal/analysis/stubmethods: merge into CodeAction
• d0d0d9e gopls/internal/cache: memoize dependent hash on analysisNode
• a19eef6 gopls/internal/cache: express packageHandle as a state machine
• dd745ec gopls/internal/test/marker: update regression test issue68918.txt
• a02ee35 go/analysis/passes/stdversion: reenable tests
• a24facf all: set gotypesalias=0 explicitly
• ce2a33e gopls/internal: fix extract refactor for cases with anonymous functions
• a2ff832 go/ssa: remove references to GOEXPERIMENT range
• Additional commits viewable in compare view

Updates google.golang.org/genproto/googleapis/rpc from 0.0.0-20240814211410-ddb44dafa142 to 0.0.0-20240903143218-8af14fe29dc1

Commits

• See full diff in compare view

Updates google.golang.org/grpc from 1.67.0 to 1.67.1

Release notes

Sourced from google.golang.org/grpc's releases.

Release 1.67.1

Bug Fixes

• transport: Fix a bug causing stream failures due to miscalculation of the flow control window in both clients and servers. (#7667)
• xds/server: Fix xDS Server memory leak. (#7681)

Commits

• 3f95b38 Update version to 1.67.1 (#7682)
• 4f6c5f2 xds/server: Fix xDS Server leak (#7664) (#7681)
• 935f8cb transport: Fix reporting of bytes read while reading headers (#7660) (#7667)
• 02bbb65 Change version to 1.67.1-dev (#7605)
• See full diff in compare view

Updates google.golang.org/protobuf from 1.34.2 to 1.35.1

Updates k8s.io/kube-openapi from 0.0.0-20240430033511-f0e62f92d13f to 0.0.0-20240903163716-9e1beecbcb38

Commits

• See full diff in compare view

Updates k8s.io/utils from 0.0.0-20240711033017-18e509b52bc8 to 0.0.0-20240921022957-49e7df575cb6

Commits

• See full diff in compare view

Updates sigs.k8s.io/gateway-api from 1.1.0 to 1.2.0

Release notes

Sourced from sigs.k8s.io/gateway-api's releases.

v1.2.0

On behalf of Kubernetes SIG Network, we are excited to announce the release of v1.2! This release includes the graduation of 3 features to the standard channel and the introduction of 4 new features to the experimental channel, along with several improvements in many project areas.

Breaking Changes

GRPCRoute and ReferenceGrant v1alpha2 removal

As per a previous deprecation notice, in this version, both Experimental and Standard channel CRDs will no longer serve the v1alpha2 versions of GRPCRoute and ReferenceGrant.

• Disable v1alpha2 versions for GRPCRoute and ReferenceGrant by @​youngnick in #3361

Upgrades

Before upgrading to Gateway API v1.2, you'll want to confirm that any implementations of Gateway API have been upgraded to support the v1 API version of these resources instead of the v1alpha2 API version. Note that even if you've been using v1 in your YAML manifests, a controller may still be using v1alpha2 which would cause it to fail during this upgrade.

Once you've confirmed that the implementations you're relying on have upgraded to v1, it's time to install the v1.2 CRDs. In most cases, this will work without any additional effort.

If you ran into issues installing these CRDs, it likely means that you have v1alpha2 in the storedVersions of one or both of these CRDs. This field is used to indicate which API versions have ever been used to persist one of these resources. Unfortunately, this field is not automatically pruned. To check these values, you can run the following commands:

kubectl get crd grpcroutes.gateway.networking.k8s.io -ojsonpath="{.status.storedVersions}"
kubectl get crd referencegrants.gateway.networking.k8s.io -ojsonpath="{.status.storedVersions}"

If either of these return a list that includes "v1alpha2", it means that we need to manually remove that version from storedVersions.

Before doing that, it would be good to ensure that all your ReferenceGrants and GRPCRoutes have been updated to the latest storage version:

crds=("GRPCRoutes" "ReferenceGrants")
for crd in "${crds[@]}"; do
output=$(kubectl get "${crd}" -A -o json)
</tr></table>

... (truncated)

Changelog

Sourced from sigs.k8s.io/gateway-api's changelog.

Release Process

Overview

The Gateway API project is an API project that has the following two components:

• Kubernetes Custom Resource Definitions (CRDs)
• Corresponding Go API in the form of sigs.k8s.io/gateway-api Go package

This repository is the home for both of the above components.

Versioning strategy

The versioning strategy for this project is covered in detail in the release documentation.

Releasing a new version

Writing a Changelog

To simplify release notes generation, we recommend using the Kubernetes release notes generator:

go install k8s.io/release/cmd/release-notes@latest
export GITHUB_TOKEN=your_token_here
release-notes --start-sha EXAMPLE_COMMIT --end-sha EXAMPLE_COMMIT --branch main --repo gateway-api --org kubernetes-sigs

This output will likely need to be reorganized and cleaned up a bit, but it provides a good starting point. Once you're satisfied with the changelog, create a PR. This must go through the regular PR review process and get merged into the main branch. Approval of the PR indicates community consensus for a new release.

Release Steps

The following steps must be done by one of the [Gateway API maintainers][gateway-api-team]:

For a PATCH release:

• Create a new branch in your fork named something like <githubuser>/release-x.x.x. Use the new branch in the upcoming steps.
• Use git to cherry-pick all relevant PRs into your branch.
• Update pkg/consts/consts.go with the new semver tag and any updates to the API review URL.
• Run the following command BASE_REF=vmajor.minor.patch make generate which will update generated docs with the correct version info. (Note that you can't test with these YAMLs yet as they contain references to elements which wont exist until the tag is cut and image is promoted to production registry.)
• Create a pull request of the <githubuser>/release-x.x.x branch into the release-x.x branch upstream (which should already exist since this is a patch release). Add a hold on this PR waiting for at least

... (truncated)

Commits

• f735045 chore: bump PR version for 1.2 (#3375)
• 76c3f4c Adding changelog for v1.2.0 (#3374)
• b311b1c mark the GatewayInfrastructure test as Provisional (#3373)
• 076d830 Docs: route rule name (#3299)
• 3b7ca06 fix the bad reference for grpcroute doc (#3369)
• 9f7dd62 Update release docs with new details (#3364)
• 9b0bda4 Update CHANGELOG with v1.2.0-rc2 details (#3363)
• ff6e320 Disable v1alpha2 versions for GRPCRoute and ReferenceGrant (#3361)
• 2263ec4 Fix a number of GEP stage errors (#3359)
• 5c5fc38 build(deps): bump mkdocs-material from 9.5.34 to 9.5.36 (#3352)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions